Since the first computer virus in the world was born in 1983, computer viruses have evolved and been updated continuously with the development of computer and network technologies over the last twenty years. Now, computer viruses, such as Trojans, worms and backdoors, can not only destroy computer systems, but also steal important information, such as the passwords of user accounts, thereby seriously threatening the normal usage of computers and even possibly causing great economic loss. Therefore, how to prevent viruses from intruding has become a matter of major concern.
One of the important steps in preventing a virus from intruding is to recognize the virus before its infringement, i.e., virus scanning, so that it can be inhibited from further infringing on a computer system by taking appropriate measures in a timely manner. One of the virus-scanning methods commonly used by current antivirus software is signature scanning. That is, the files to be examined are scanned using signatures extracted from virus samples, in order to detect and eliminate files infected by viruses.
However, in such a traditional virus-scanning method, the signatures of the viruses are extracted only after the virus samples have been captured, with the result that virus scanning and killing always lag behind the emergence of the viruses. For example, when a new virus emerges, a user will be infringed on even if he has installed such antivirus software. This problem can only be solved after the antivirus software is upgraded and the virus library is updated, which, however, lags seriously behind the emergence of the virus.
Now, new unknown viruses and new varieties of existing viruses emerge endlessly; meanwhile, some anti-scanning technologies aimed at the traditional method also emerge. Thus, the lagging disadvantage of the traditional virus-scanning method becomes more and more obvious, and real-time monitoring programs that depend on the traditional method are becoming practically useless.
Recently, considering the disadvantages of traditional signature scanning, a computer protection method based on the behavior characteristics of a computer program has been proposed in the antivirus field. In this method, an action of a computer program is intercepted and analyzed to determine whether or not the action is initiated by a virus. This computer protection method can recognize new varieties of existing viruses and some relatively simple new viruses, to a certain degree. However, for some viruses with good concealment which implement invasive behavior by calling a system program or a secure program, the probability of success of this protection method remains low.
For example, one recently prevalent backdoor, “Backdoor.GPigeon”, is a virus with good concealment. After its main program “c:\A.exe” runs, it replicates itself to the system directory “c:\windows\”, renames its replica as “wservices.exe”, starts the replica “wservices.exe”, and then exits. After “wservices.exe” starts, it directly starts “iexplore.exe” (a system file) within the system, writes the process image of “wservices.exe” into the process space of “iexplore.exe”, and obtains execution privilege so as to make an infringement using “iexplore.exe”.
In “Backdoor.GPigeon”, the virus runs hidden within the normal system program “iexplore.exe”; the procedure by which the virus makes an infringement involves three successive processes, i.e. “A.exe”, “wservices.exe” and “iexplore.exe”, and the main program “A.exe” of the virus has already ended before the real infringing behavior is implemented. Thus, “Backdoor.GPigeon” may completely deceive virus-scanning software that monitors actions, and so successfully hides virus code in the process space of “iexplore.exe”. In this case, with the existing simple method of behavior and action analysis, it is difficult to recognize viruses with good concealment.
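As an added illustration (not part of the original text), the following lineage tracker shows why per-process action analysis misses the three-process sequence above and what a monitor must retain instead: it keeps the parent/child records of exited processes so that a cross-process memory write by “wservices.exe” into “iexplore.exe” can still be attributed back to the already-terminated launcher “A.exe”. The event records, process ids and action names are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class ProcInfo:
    pid: int
    ppid: int
    image: str
    exited: bool = False

class LineageTracker:
    """Tracks process ancestry; records survive process exit on purpose."""
    def __init__(self):
        self.procs = {}  # pid -> ProcInfo (never deleted on exit)

    def on_create(self, pid, ppid, image):
        self.procs[pid] = ProcInfo(pid, ppid, image)

    def on_exit(self, pid):
        if pid in self.procs:
            self.procs[pid].exited = True  # keep the record for later attribution

    def chain(self, pid):
        """Image names from the root ancestor down to pid (exited ones included)."""
        out, seen = [], set()
        while pid in self.procs and pid not in seen:
            seen.add(pid)
            out.append(self.procs[pid].image)
            pid = self.procs[pid].ppid
        return list(reversed(out))

    def on_write_process_memory(self, pid, target_pid):
        """A write into another process's space is attributed to the whole lineage."""
        src, tgt = self.procs.get(pid), self.procs.get(target_pid)
        if src is None or tgt is None or pid == target_pid:
            return None
        return {"target": tgt.image, "chain": self.chain(pid)}

# Constructed events mirroring the A.exe -> wservices.exe -> iexplore.exe sequence
EVENTS = [
    ("create", 100, 1, "c:\\A.exe"),
    ("create", 200, 100, "c:\\windows\\wservices.exe"),
    ("exit", 100),                     # launcher is gone before the injection
    ("create", 300, 200, "iexplore.exe"),
    ("write", 200, 300),               # wservices.exe writes into iexplore.exe
]

def replay(events):
    tracker, alerts = LineageTracker(), []
    for ev in events:
        if ev[0] == "create":
            tracker.on_create(*ev[1:])
        elif ev[0] == "exit":
            tracker.on_exit(ev[1])
        elif ev[0] == "write":
            alert = tracker.on_write_process_memory(ev[1], ev[2])
            if alert:
                alerts.append(alert)
    return alerts
```

Dropping the record of pid 100 at its exit event would leave the chain as “wservices.exe” alone, which is exactly the blind spot the text describes.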
At present, with the development of computer technologies, viruses with good concealment, like “Backdoor.GPigeon”, are becoming more and more prevalent. Therefore, there is a need for a new computer protection method to recognize such malicious programs, which make infringements by initiating a plurality of processes.